Squid configuration directive logformat

History:

New code %ssl::>negotiated_version to display
negotiated TLS version of the client connection.

New code %ssl::<negotiated_version to display
negotiated TLS version of the last server or peer connection.

New code %ssl::>received_hello_version to display the
TLS version of the Hello message received from TLS client.

New code %ssl::<received_hello_version to display the
TLS version of the Hello message received from TLS server.

New code %ssl::>received_supported_version to display
the maximum TLS version supported by the TLS client.

New code %ssl::<received_supported_version to display
the maximum TLS version supported by the TLS server.

New code %ssl::>negotiated_cipher to display the
negotiated cipher of the client connection.

New code %ssl::<negotiated_cipher to display the
negotiated cipher of the last server or peer connection.

Changes to logformat in Squid-3.5:

New format code %credentials to log the client credentials token.

New format code %ssl::>sni to TLS client SNI sent to Squid.

New format code %tS to log transaction start time in
"seconds.milliseconds" format, similar to the existing access.log
"current time" field (%ts.%03tu) which logs the corresponding
transaction finish time.

New format codes %<rs and %>rs to log request URL
scheme from client or sent to server/peer respectively.

New format codes %<rd and %>rd to log request URL
domain from client or sent to server/peer respectively.

New format codes %<rP and %>rP to log request URL
port from client or sent to server/peer respectively.

Changes to logformat in Squid-3.4:

New format code %note to log a transaction annotation linked to the
transaction by ICAP, eCAP, a helper, or the note squid.conf directive.

New format code %>qos to log client connection TOS/DSCP value set by Squid.

New format code %<qos to log server connection TOS/DSCP value set by Squid.

New format code %>nfmark to log client connection netfilter mark set by Squid.

New format code %<nfmark to log server connection netfilter mark set by Squid.

Changes to logformat in Squid-3.3:

New token %ssl::bump_mode to log the SSL-bump mode type performed on a request.
Logs values of: -, none, client-first, or server-first.

New token of %ssl::>cert_subject to log the Subject field of a SSL certificate received from the client.

New token of %ssl::>cert_issuer to log the Issuer field of a SSL certificate received from the client.

For older versions than 3.3 see the linked pages above

Configuration Details:

Usage:
logformat <name> <format specification>
Defines an access log format.
The <format specification> is a string with embedded % format codes
% format codes all follow the same basic structure where all but
the formatcode is optional. Output strings are automatically escaped
as required according to their context and the output format
modifiers are usually not needed, but can be specified if an explicit
output format is desired.
% ["|[|'|#|/] [-] [[0]width] [{arg}] formatcode [{arg}]
" output in quoted string format
[ output in squid text log format as used by log_mime_hdrs
# output in URL quoted format
/ output in shell \-escaped format
' output as-is
- left aligned
width minimum and/or maximum field width:
[width_min][.width_max]
When minimum starts with 0, the field is zero-padded.
String values exceeding maximum width are truncated.
{arg} argument such as header name etc. This field may be
placed before or after the token, but not both at once.
Format codes:
% a literal % character
sn Unique sequence number per log line entry
err_code The ID of an error response served by Squid or
a similar internal error identifier.
err_detail Additional err_code-dependent error information.
note The annotation specified by the argument. Also
logs the adaptation meta headers set by the
adaptation_meta configuration parameter.
If no argument given all annotations logged.
The argument may include a separator to use with
annotation values:
name[:separator]
By default, multiple note values are separated with ","
and multiple notes are separated with "\r\n".
When logging named notes with %{name}note, the
explicitly configured separator is used between note
values. When logging all notes with %note, the
explicitly configured separator is used between
individual notes. There is currently no way to
specify both value and notes separators when logging
all notes with %note.
Connection related format codes:
>a Client source IP address
>A Client FQDN
>p Client source port
>eui Client source EUI (MAC address, EUI-48 or EUI-64 identifier)
>la Local IP address the client connected to
>lp Local port number the client connected to
>qos Client connection TOS/DSCP value set by Squid
>nfmark Client connection netfilter mark set by Squid
la Local listening IP address the client connection was connected to.
lp Local listening port number the client connection was connected to.
<a Server IP address of the last server or peer connection
<A Server FQDN or peer name
<p Server port number of the last server or peer connection
<la Local IP address of the last server or peer connection
<lp Local port number of the last server or peer connection
<qos Server connection TOS/DSCP value set by Squid
<nfmark Server connection netfilter mark set by Squid
Time related format codes:
ts Seconds since epoch
tu subsecond time (milliseconds)
tl Local time. Optional strftime format argument
default %d/%b/%Y:%H:%M:%S %z
tg GMT time. Optional strftime format argument
default %d/%b/%Y:%H:%M:%S %z
tr Response time (milliseconds)
dt Total time spent making DNS lookups (milliseconds)
tS Approximate master transaction start time in
<full seconds since epoch>.<fractional seconds> format.
Currently, Squid considers the master transaction
started when a complete HTTP request header initiating
the transaction is received from the client. This is
the same value that Squid uses to calculate transaction
response time when logging %tr to access.log. Currently,
Squid uses millisecond resolution for %tS values,
similar to the default access.log "current time" field
(%ts.%03tu).
Access Control related format codes:
et Tag returned by external acl
ea Log string returned by external acl
un User name (any available)
ul User name from authentication
ue User name from external acl helper
ui User name from ident
un A user name. Expands to the first available name
from the following list of information sources:
- authenticated user name, like %ul
- user name supplied by an external ACL, like %ue
- SSL client name, like %us
- ident user name, like %ui
credentials Client credentials. The exact meaning depends on
the authentication scheme: For Basic authentication,
it is the password; for Digest, the realm sent by the
client; for NTLM and Negotiate, the client challenge
or client credentials prefixed with "YR " or "KK ".
HTTP related format codes:
REQUEST
[http::]rm Request method (GET/POST etc)
[http::]>rm Request method from client
[http::]<rm Request method sent to server or peer
[http::]ru Request URL from client (historic, filtered for logging)
[http::]>ru Request URL from client
[http::]<ru Request URL sent to server or peer
[http::]>rs Request URL scheme from client
[http::]<rs Request URL scheme sent to server or peer
[http::]>rd Request URL domain from client
[http::]<rd Request URL domain sent to server or peer
[http::]>rP Request URL port from client
[http::]<rP Request URL port sent to server or peer
[http::]rp Request URL path excluding hostname
[http::]>rp Request URL path excluding hostname from client
[http::]<rp Request URL path excluding hostname sent to server or peer
[http::]rv Request protocol version
[http::]>rv Request protocol version from client
[http::]<rv Request protocol version sent to server or peer
[http::]>h Original received request header.
Usually differs from the request header sent by
Squid, although most fields are often preserved.
Accepts optional header field name/value filter
argument using name[:[separator]element] format.
[http::]>ha Received request header after adaptation and
redirection (pre-cache REQMOD vectoring point).
Usually differs from the request header sent by
Squid, although most fields are often preserved.
Optional header name argument as for >h
RESPONSE
[http::]<Hs HTTP status code received from the next hop
[http::]>Hs HTTP status code sent to the client
[http::]<h Reply header. Optional header name argument
as for >h
[http::]mt MIME content type
SIZE COUNTERS
[http::]st Total size of request + reply traffic with client
[http::]>st Total size of request received from client.
Excluding chunked encoding bytes.
[http::]<st Total size of reply sent to client (after adaptation)
[http::]>sh Size of request headers received from client
[http::]<sh Size of reply headers sent to client (after adaptation)
[http::]<sH Reply high offset sent
[http::]<sS Upstream object size
[http::]<bs Number of HTTP-equivalent message body bytes
received from the next hop, excluding chunked
transfer encoding and control messages.
Generated FTP/Gopher listings are treated as
received bodies.
TIMING
[http::]<pt Peer response time in milliseconds. The timer starts
when the last request byte is sent to the next hop
and stops when the last response byte is received.
[http::]<tt Total time in milliseconds. The timer
starts with the first connect request (or write I/O)
sent to the first selected peer. The timer stops
with the last I/O with the last peer.
Squid handling related format codes:
Ss Squid request status (TCP_MISS etc)
Sh Squid hierarchy status (DEFAULT_PARENT etc)
SSL-related format codes:
ssl::bump_mode SslBump decision for the transaction:
For CONNECT requests that initiated bumping of
a connection and for any request received on
an already bumped connection, Squid logs the
corresponding SslBump mode ("server-first" or
"client-first"). See the ssl_bump option for
more information about these modes.
A "none" token is logged for requests that
triggered "ssl_bump" ACL evaluation matching
either a "none" rule or no rules at all.
In all other cases, a single dash ("-") is
logged.
ssl::>sni SSL client SNI sent to Squid. Available only
after the peek, stare, or splice SSL bumping
actions.
ssl::>cert_subject
The Subject field of the received client
SSL certificate or a dash ('-') if Squid has
received an invalid/malformed certificate or
no certificate at all. Consider encoding the
logged value because Subject often has spaces.
ssl::>cert_issuer
The Issuer field of the received client
SSL certificate or a dash ('-') if Squid has
received an invalid/malformed certificate or
no certificate at all. Consider encoding the
logged value because Issuer often has spaces.
ssl::<cert_errors
The list of certificate validation errors
detected by Squid (including OpenSSL and
certificate validation helper components). The
errors are listed in the discovery order. By
default, the error codes are separated by ':'.
Accepts an optional separator argument.
%ssl::>negotiated_version The negotiated TLS version of the
client connection.
%ssl::<negotiated_version The negotiated TLS version of the
last server or peer connection.
%ssl::>received_hello_version The TLS version of the Hello
message received from TLS client.
%ssl::<received_hello_version The TLS version of the Hello
message received from TLS server.
%ssl::>received_supported_version The maximum TLS version
supported by the TLS client.
%ssl::<received_supported_version The maximum TLS version
supported by the TLS server.
%ssl::>negotiated_cipher The negotiated cipher of the
client connection.
%ssl::<negotiated_cipher The negotiated cipher of the
last server or peer connection.
If ICAP is enabled, the following code becomes available (as
well as ICAP log codes documented with the icap_log option):
icap::tt Total ICAP processing time for the HTTP
transaction. The timer ticks when ICAP
ACLs are checked and when ICAP
transaction is in progress.
If adaptation is enabled the following codes become available:
adapt::<last_h The header of the last ICAP response or
meta-information from the last eCAP
transaction related to the HTTP transaction.
Like <h, accepts an optional header name
argument.
adapt::sum_trs Summed adaptation transaction response
times recorded as a comma-separated list in
the order of transaction start time. Each time
value is recorded as an integer number,
representing response time of one or more
adaptation (ICAP or eCAP) transaction in
milliseconds. When a failed transaction is
being retried or repeated, its time is not
logged individually but added to the
replacement (next) transaction. See also:
adapt::all_trs.
adapt::all_trs All adaptation transaction response times.
Same as adaptation_strs but response times of
individual transactions are never added
together. Instead, all transaction response
times are recorded individually.
You can prefix adapt::*_trs format codes with adaptation
service name in curly braces to record response time(s) specific
to that service. For example: %{my_service}adapt::sum_trs
The default formats available (which do not need re-defining) are:
logformat squid %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %[un %Sh/%<a %mt
logformat common %>a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st %Ss:%Sh
logformat combined %>a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh
logformat referrer %ts.%03tu %>a %{Referer}>h %ru
logformat useragent %>a [%tl] "%{User-Agent}>h"
NOTE: When the log_mime_hdrs directive is set to ON.
The squid, common and combined formats have a safely encoded copy
of the mime headers appended to each line within a pair of brackets.
NOTE: The common and combined formats are not quite true to the Apache definition.
The logs from Squid contain an extra status and hierarchy code appended.